Firefox Now Supports HttpOnly Cookies

July 19, 2007

You may be surprised to learn that Microsoft Internet Explorer has supported a a security feature called HttpOnly cookies since IE 6 SP1. Firefox 2.0.0.5, which was released just the other day, now supports it.

When a cookie is HttpOnly the web browser should (see note about firefox implementation below) not allow client side scripts such as JavaScript to have access to the cookie. This can help mitigate the effects of cross site scripting (XSS) attacks.

To set a HttpOnly cookie with ColdFusion you need to use cfheader since cfcookie doesn't yet support HttpOnly.

<cfheader name="Set-Cookie" value="safe=maybe;HttpOnly">

It would be nice if the cfcookie tag simply had an attribute HttpOnly=true/false. Go make a wish. While you are at it it would also be nice to have a setting to make the CFID, CFTOKEN and jsessionid cookies httpOnly, or secure cookies.

Update: CF9 added a httponly setting to the CFCookie tag. And CF 9.0.1 adds HttpOnly to CFID and CFTOKEN cookies automatically.

Here's a MSDN doc with some additional info about HttpOnly.

Firefox's implementation of HttpOnly however still leaves open a big hole, as RSnake points out, you can do an XMLHttpRequest to get the cookie values from the HTTP response headers. When I test in IE 6 (RSnake's example doesn't work in IE), I don't have access to the Set-Cookie from the AJAX HTTP response header. +1 for MSIE.

Permalink | Add Comment |

add to del.icio.us | Tags: security, cookies, httponly, firefox, ie, microsoft, ajax

Related Entries

Client Variable Cookie CFGLOBALS Includes Session Ids - July 14, 2011
Setting up HTTPOnly Session Cookies for ColdFusion - September 13, 2010
Firefox 3.5 Introduces Origin Header, Security Features - June 30, 2009
AJAX on IE - back to the IFRAME - August 17, 2005
Cross Domain Data Theft using CSS - July 21, 2010

12 people found this page useful, what do you think?

Trackbacks

Trackback Address: 644/7BA6CDA184ED00E36C269C3AFB1E2FB5

Comments

On 07/19/2007 at 6:17:55 PM EDT Jeremy Prevost wrote:

Either I'm miss reading something or you forgot the word "not" in the first sentence of the second paragraph (before the parenthesis).

On 07/19/2007 at 8:18:44 PM EDT David A Herman wrote:

Shouldn't that be NOT allow? I was confused until I went to the MSDN site.

On 07/20/2007 at 6:39:18 AM EDT Tom Chiverton wrote:

You left a 'not' out of the 2nd paragraph - that confused me for a while because TFA goes on to say 'This attribute specifies that a cookie is not accessible through script. By using HTTP-only cookies, a Web site eliminates the possibility that sensitive information contained in the cookie can be sent to a hacker's computer or Web site with script.'

On 07/20/2007 at 9:44:19 AM EDT Dan G. Switzer, II wrote:

@Pete:

Did you mean to say:

"When a cookie is HttpOnly the web browser should *not* allow client side scripts such as JavaScript to have access to the cookie."

???

On 07/23/2007 at 1:21:05 PM EDT Pete Freitag wrote:

@Dan

Yes that is what it should say, thanks, fixed.

On 07/23/2008 at 10:20:53 AM EDT Phil wrote:

I'm a little confused and want to clarify. I have one main cookie file and I want to protect it's values. When I added : <cfheader name="Set-Cookie" value="safe=maybe;HttpOnly">

to my Application file it works but as I tool around the site it sets that "safe" value multiple times which I don;t want. So I did: <cfparam name="COOKIE.SECURITY" default="set; HttpOnly">

Is that doing the same thing and will it protect all my values? Or just the "SECURITY" value?

On 09/24/2008 at 7:27:43 PM EDT Jim Manico wrote: